The Best Ransomware Protection for 2019

When a ransomware attack turns your most important files into encrypted gibberish, and paying to get those files back is your only option, you're in big trouble. Choose the best ransomware protection for your PC to prevent those attacks from ever happening.

Bottom Line: Check Point ZoneAlarm Anti-Ransomware is one of the most effective ransomware-specific security tools we've seen. In testing, it showed complete success against all our real-world samples.

Bottom Line: The consequences of a ransomware attack are dire, so supplementing your antivirus with a second layer of defense like Cybereason RansomFree is a great idea. It's free; go ahead and install i...

Bottom Line: Bitdefender Anti-Ransomware vaccinates your PC against infection by four specific ransomware families, and testing shows that it does the job. But you'll need some other kind of protection t...

Bottom Line: It's very good of Trend Micro to make RansomBuster available for free, and its Folder Shield successfully prevents unauthorized changes to your documents. However, the behavior-based detecti...

Neil J. RubenkingThe Best Ransomware Protection for 2019When a ransomware attack turns your most important files into encrypted gibberish, and paying to get those files back is your only option, you're in big trouble. Choose the best ransomware protection for your PC to prevent those attacks from ever happening.

Why You Need Ransomware Protection

You've done your due diligence, installing antivirus protection on all of your computers. Now you can sit back and relax, confident that even if some rare zero-day attack gets past your layers of protection, the antivirus company will push out an update that clears up the problem in a day or two. Relax! Or maybe…don't. If the sneak attack that got through your defenses was ransomware, the damage is done. Your files are encrypted. Quarantining the culprit process after the fact can't do a thing about your inaccessible encrypted files. That's why it makes sense to supplement your antivirus with a partner app that's solely focused on ransomware. Ransomware-specific apps tend to be cheap, or free, so upping your protection game won't break the bank.

It's even worse when your business gets attacked by ransomware. Depending on the nature of the business, every hour of lost productivity might cost thousands of dollars, or even more. Fortunately, while ransomware attacks are on the rise, so are techniques for fighting those attacks. Here we look at anti-ransomware tools you can use to protect yourself from ransomware.

What Is Ransomware, and How Do You Get It?

The premise of ransomware is simple. The attacker finds a way to take something of yours, and demands payment for its return. Encrypting ransomware, the most common type, takes away access to your important documents by replacing them with encrypted copies. Pay the ransom and you get the key to decrypt those documents (you hope). There is another type of ransomware that denies all use of your computer or mobile device. However, this screen locker ransomware is easier to defeat, and just doesn't pose the same level of threat as encrypting ransomware. Perhaps the most pernicious example is malware that encrypts your entire hard drive, rendering the computer unusable. Fortunately this last type is uncommon.

If you're hit by a ransomware attack, you won't know it at first. It doesn't show the usual signs that you've got malware. Encrypting ransomware works in the background, aiming to complete its nasty mission before you notice its presence. Once finished with the job, it gets in your face, displaying instructions for how to pay the ransom and get your files back. Naturally the perpetrators require untraceable payment; Bitcoin is a popular choice. The ransomware may also instruct victims to purchase a gift card or prepaid debit card and supply the card number.

As for how you contract this infestation, quite often it happens through an infected PDF or Office document sent to you in an email that looks legitimate. It may even seem to come from an address within your company's domain. That seems to be what happened with the WannaCry ransomware attack. If you have the slightest doubt as to the legitimacy of the email, don't click the link, and do report it to your IT department.

Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. A drive-by download hosted by a malicious advertisement on an otherwise-safe site, for example. You could even contract this scourge by inserting a gimmicked USB drive into your PC, though this is less common. If you're lucky, your malware protection utility will catch it immediately. If not, you could be in trouble.

CryptoLocker and Other Encrypting Malware

Until the massive WannaCry attack, CryptoLocker was probably the best-known ransomware strain. It surfaced several years ago. An international consortium of law enforcement and security agencies took down the group behind CryptoLocker, but other groups kept the name alive, applying it to their own malicious creations.

Ransomware Removal

Even if ransomware gets past your antivirus, chances are good that within a short while an antivirus update will clear the attacker from your system. The problem is, of course, that removing the ransomware itself doesn't get your files back. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.

Even so, there's a faint chance of recovery, depending on which ransomware strain encrypted your files. If your antivirus gives you a name, that's a great help. Many antivirus vendors, among them Kaspersky, Trend Micro, and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility needs the unencrypted original of a single encrypted file to put things right. In other cases, such as TeslaCrypt, a master decryption key is available.

But really, the best defense against ransomware involves keeping it from taking your files hostage. There are a number of different approaches to accomplish this goal.

Anti-Ransomware Strategies

A well-designed antivirus utility ought to eliminate ransomware on sight, but ransomware designers are tricky. They work hard to get around old-school signature-based malware detection. And it only takes one slipup by your antivirus to let a new, unknown ransomware attack render your files unusable. Even if the antivirus gets an update that removes the ransomware, it can't bring back the files.

Modern antivirus utilities supplement signature-based detection with some form of behavior monitoring. Some rely exclusively on watching for malicious behavior rather than looking for known threats. And behavior-based detection specifically aimed at ransomware behaviors is becoming more common.

Ransomware typically goes after files stored in common locations like the desktop and the Documents folder. Some antivirus tools and security suites foil ransomware attacks by denying unauthorized access to these locations. Typically they pre-authorize known good programs such as word processors and spreadsheets. On any access attempt by an unknown program, they ask you, the user, whether to allow access. If that notification comes out of the blue, not from anything you did yourself, block it!

Of course, using an online backup utility to keep an up-to-date backup of your essential files is the very best defense against ransomware. First, you root out the offending malware, perhaps with help from your antivirus company's tech support. With that task complete, you simply restore your backed-up files. Note that some ransomware attempts to encrypt your backups as well. Backup systems in which your backed-up files appear in a virtual disk drive may be especially vulnerable. Check with your backup provider to find out what defenses the product has against ransomware.

Detecting Ransomware Behavior

Cybereason's free RansomFree utility has just one purpose: to detect and avert ransomware attacks. One very visible feature of this utility is its creation of "bait" files in locations typically targeted by ransomware. Any attempt to modify these files triggers a ransomware takedown. It also relies on other forms of behavior-based detection, but its creators are naturally reluctant to offer a lot of detail. Why tell the bad guys what behaviors to avoid?

Malwarebytes Anti-Ransomware Beta, CryptoDrop Anti-Ransomware, and a few others also use behavior-based detection to take down any ransomware that gets past your regular antivirus. They don't use "bait" files; rather they keep a close eye on how programs treat your actual documents. On detecting ransomware, they quarantine the threat.

Check Point ZoneAlarm Anti-Ransomware also used bait files, but they're not as visible as RansomFree's. And it clearly uses other layers of protection. It defeated all of our real-world ransomware samples in testing, fixing any affected files and even removing the spurious ransom notes that one sample displayed.

Webroot SecureAnywhere AntiVirus relies on behavior patterns to detect all types of malware, not just ransomware. It leaves known good processes alone and eliminates known malware. When a program belongs to neither group, Webroot closely monitors its behavior. It blocks unknowns from making internet connections, and it journals every local action. Meanwhile, at Webroot central, the unknown program goes through deep analysis. If it proves to be malicious, Webroot uses the journaled data to undo every action by the program, including encrypting files. The company does warn that the journal database isn't unlimited in size, and advises keeping all important files backed up.

If the free Trend Micro RansomBuster detects a suspicious process attempting file encryption, it backs up the file and keeps watching. When it detects multiple encryption attempts in rapid succession, it quarantines the file, notifies the user, and restores the backed-up files. In testing, this feature missed half of the real-world ransomware samples we inflicted on it. Trend Micro confirms that ransomware protection is better with the multi-layered protection of Trend Micro Antivirus+ Security.

The main purpose of Acronis True Image is backup, of course, but the Acronis Active Protection module watches for and prevents ransomware behavior. It uses whitelisting to avoid falsely flagging valid tools such as encryption software. It also actively protects the main Acronis process against modification, and ensures that no other process can access backed-up files. If ransomware does manage to encrypt some files before being eliminated, Acronis can restore them from the latest backup.

Now you can get that same Active Protection for free, in the form of Acronis Ransomware Protection. This utility works alongside your antivirus as another layer of protection against ransomware, and includes 5GB of storage for backups of your most important files. Acronis Ransomware Protection can restore files damaged by ransomware from a local cache; the online backup is yet another line of defense.

The Data Hjiacking Protection feature in Qihoo 360 Total Security watches for ransomware behavior. However, rather than terminate suspect processes, it simply prevents them from accessing files in specific protected locations such as the Documents folder. In testing, we couldn't goad it into action. Ransomware-specific detection in G Data Antivirus, on the other hand, visibly did its job. When we turned off the regular real-time antivirus and released some ransomware samples, it caught them red-handed. Quick Heal Internet Security also claims to detect ransomware by its behavior, but since it offered no way to disable antivirus protection without also disabling ransomware protection, we couldn't test it.

Preventing Unauthorized Access

If a brand-new ransomware program gets past Bitdefender Antivirus Plus, it won't be able to do much damage. Bitdefender blocks attempts by any unauthorized program to modify, delete, or create files in a protected folder. And the list of protected folders includes Documents, Desktop, Pictures, Music, and Videos, as well as folders on file-syncing services such as OneDrive, Dropbox, Box, and Google Drive. Avast has recently added a very similar feature to Avast Internet Security and Avast Premier.

In Trend Micro's antivirus, the Folder Shield feature protects files in Documents and Pictures, in local folders that represent online storage, and on USB drives. The free, standalone RansomBuster just protects two selected folders, and their subfolders. No unauthorized program can delete or modify files in the protected zone, though file creation is permitted. In addition, the company offers a ransomware hotline that's available to anyone, even noncustomers. On the hotline page you can find tools to defeat some screen locker ransomware and decrypt some files encrypted by ransomware.

Panda Dome Essential and Panda Dome Complete offer a feature called Data Shield. By default, Data Shield protects the Documents folder (and its subfolders) for each Windows user account. It protects specific file types including Microsoft Office documents, images, audio files, and video. If necessary, you can add more folders and file types. And Panda protects against all unauthorized access, even reading a protected file's data, so it balks data-stealing Trojans too.

Testing this sort of defense is easy enough. We wrote a very simple text editor, guaranteed not to be whitelisted by the ransomware protection. We attempted to access and modify protected files. And in almost every case we verified that the defense worked. The exception was Qihoo 360, which only blocks access by programs it also deems suspicious.

File Recovery

The surest way to survive a ransomware attack is to maintain a secure, up-to-date backup of all your essential files. Beyond just backing up your files, Acronis True Image actively works to detect and prevent ransomware attack. We expect to see similar features in other backup tools.

Acronis Ransomware Protection can restore files damaged by ransomware from a local cache. Like its big brother True Image, it offers online backup as another option for recovery, but just 5GB of storage. CryptoDrop Anti-Ransomware maintains copies of your sensitive files in a secure folder that's not visible to any other processes.

As noted, when Trend Micro detects a suspicious process encrypting a file, it backs up the file. If it sees a flurry of suspicious encryption activity, it quarantines the process and restores the backed-up files. ZoneAlarm also tracks suspicious activity and repairs any damage caused by processes that turn out to be ransomware.

In addition to behavior-based malware detection, Quick Heal also maintains a silent, encrypted backup of your document files. However, recovery of those files is not automatic. Once you get rid of the ransomware, you must contact tech support for help with recovery.

Ransomware Vaccination

Ransomware perpetrators lose credibility if they fail to decrypt files for those who pay the ransom. Encrypting the same set of documents multiple times could make it difficult or even impossible to perform that decryption. Hence, most ransomware programs include some kind of check to make sure they don't attack an already-infected system. For example, the Petya ransomware initially just checked for the presence of a certain file. By creating a fake version of that file, you could effectively vaccinate your computer against Petya.

Bitdefender Anti-Ransomware very specifically prevents infestation by TeslaCrypt, BTC-Locker, Locky, and that first edition of Petya. It has no effect on Sage, Cerber, later versions of Petya, or any other ransomware family. And it certainly can't help against a brand-new strain, the way a behavior-based detection system can. This kind of protection has its limits, but it can be an effective part of a multi-layered strategy.

Testing Anti-Ransomware Tools

The most obvious way to test ransomware protection is to release actual ransomware in a controlled setting and observe how well the product defends against it. However, this is only possible if the product lets you turn off its normal real-time antivirus while leaving ransomware detection active. Of course, testing is simpler when the product in question is solely devoted to ransomware protection, without a general-purpose antivirus component.

In addition, ransomware samples are tough to deal with. For safety, we run them in a virtual machine with no connection to the internet or network. Some won't run at all in a virtual machine. Others do nothing without an internet connection. And they're just plain dangerous! When analyzing a new sample, determining whether to add it to the collection, we keep a link open to a log folder on the virtual machine host. Twice now we've had a ransomware sample reach out and start encrypting those logs.

KnowBe4 specializes in training individuals and employees to avoid getting hit by phishing attacks. Phishing is one way malware coders distribute ransomware, so developers at KnowBe4 created a ransomware simulator called RanSim. RanSim simulates 10 types of ransomware attack, along with two innocuous (but similar) behaviors. A good RanSim score is definitely a plus, but we don't treat a low score as a minus. Some behavior-based systems such as RansomFree don't detect the simulation, because no actual ransomware limits its activities to subfolders four levels below the Documents folder.

What's Not Here

This article looks specifically at ransomware protection solutions that are available to consumers. There's no point in including the free, one-off decryption tools, since the tool you need totally depends on which ransomware encrypted your files. Better to prevent the attack in the first place.

CryptoPrevent Premium, created when CryptoLocker was new, promised several levels of behavior-based ransomware protection. However, at the top security level, it inundated the desktop with bait files, and even at this level, several real-world samples slipped past its detection. We can't recommend this tool in its current form.

The Kure isn't precisely a ransomware solution. It restores your PC to a clean, malware-free state every time you reboot, exempting areas like the Documents folder from this "Groundhog Day" effect. Thus a reboot would wipe active ransomware but would leave your files encrypted. To get around this, The Kure maintains a hidden, encrypted copy of files in those exempted folders.

We've also omitted ransomware solutions aimed at big business, which typically require central management or even a dedicated server. Bitdefender GravityZone Elite and Sophos Intercept X, for example, are beyond the scope of our reviews, worthy though these services may be.

Acronis True Image provides dandy ransomwware protection and recovery, but at heart it's a backup tool. We gave its place in the chart at top to its ransomware-focused sibling, Acronis Ransomware Protection.

An Ounce of Prevention

Getting your files back after an attack is good, but completely preventing that attack is even better. The products listed below take different approaches to keeping your files safe. Ransomware protection is an evolving field; chances are good that as ransomware evolves, anti-ransomware utilities will evolve as well. For now, ZoneAlarm Anti-Ransomware and CyberSight RansomStopper are our top choices for ransomware-specific security protection. Both detected all of our ransomware samples, including the disk-encrypting Petya. ZoneAlarm repaired all files damaged by the ransomware, while RansomStopper completely prevented encryption.

You'll note that the blurbs below include a few more products than the chart at top. As more ransomware-specific products appear, they push general-purpose security products from the chart. All the products listed below earned at least three stars.

Bottom Line: With outstanding antivirus test results and a collection of features that puts some security suites to shame, Bitdefender Antivirus Plus is a top choice.

Pros: Successfully protected against real-world ransomware samples and cleaned up all traces of ransomware in testing. Very easy to use.

Cons: Not free like some competing products. Routinely allows (and then reverses) encryption of some files.

Bottom Line: Check Point ZoneAlarm Anti-Ransomware is one of the most effective ransomware-specific security tools we've seen. In testing, it showed complete success against all our real-world samples.

Cons: In testing, did not detect disk-encryption ransomware.

Bottom Line: The consequences of a ransomware attack are dire, so supplementing your antivirus with a second layer of defense like Cybereason RansomFree is a great idea. It's free; go ahead and install it.

Bottom Line: When your PC has The Kure installed, you can wipe out malware just by rebooting. Your own documents aren't affected, and it even has the ability to reverse the effects of encrypting ransomware.

Cons: Password manager is limited in features. Many bonus features require separate purchase.

Bottom Line: Avast Internet Security is a full-scale suite, with an antivirus, a robust firewall, a simple spam filter, and a wealth of bonus features. Depending upon your needs, though, the company's free antivirus might be more cost effective.

Bottom Line: G Data Antivirus gets decent marks from the independent testing labs, and it includes components designed to fight ransomware and other specific malware types. However, it gets mixed scores in our hands-on tests.

Cons: Does nothing against other ransomware families.

Bottom Line: Bitdefender Anti-Ransomware vaccinates your PC against infection by four specific ransomware families, and testing shows that it does the job. But you'll need some other kind of protection to handle other ransomware families, and other malware in general.

Bottom Line: Panda Dome Advanced adds parental control and ransomware protection to the features of Panda Dome Essential. It handles ransomware that slips past the entry-level product, but still has some of the lowest test scores.

Cons: Folder Shield limited to two folders. In testing, behavior-based detection only caught half of the real-world ransomware samples.

Bottom Line: It's very good of Trend Micro to make RansomBuster available for free, and its Folder Shield successfully prevents unauthorized changes to your documents. However, the behavior-based detection system needs work.

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b... See Full Bio

Get Our Best Stories!

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.